7

Somehow, and at some point, I believe recently, my system decided to add the `com.apple.quarantine` attribute to some files. It was quite a pain and was stopping me running scripts that I'd written in my own editor (BBEdit, that I've used without problems for years till the last few days). I located the problem (the xattrs) and added BBEdit to System Preferences > Security & Privacy > Privacy > Full Disk Access. Now new files are okay.

To track down other files I ran `/usr/bin/find ~ -xattrname com.apple.quarantine` but there were quite a few files so I redirected it to a file on my desktop.

The file is 130M large.

I notice there are a lot of git object files in there, but there's a ridiculous number of files there. Is this normal? If not, and I'm going to reckon it's not correct, how can I stop this from happening again?

  • Should I add, for example, git to Full Disk Access?
  • Is Full Disk Access the correct permission to relieve an app of this burden?
  • Would I have to do this for all apps that download anything?
  • Why would it suddenly become an issue now?

I will fix this by running `xattr -rd com.apple.quarantine DIR` but I'm not entirely sure I should run it across `~` even though it's irritated me enough to want it gone from anything, even actual viruses.

This is not a duplicate of "What should I do about com.apple.quarantine?" because of the scope and context. I would think it normal to have this happen to the odd download, not my entire account (and I haven't checked beyond that yet).

Any help or insight will be gratefully received.

ian
  • `com.apple.quarantine` doesn't just get set for the odd download - it gets set for all files created by quarantine enabled apps, see [What causes OS X to mark a folder as Quarantined?](https://apple.stackexchange.com/a/104875/115093). I have thousands of such files - everything I've ever unzipped, caches for Browsers, MS Office, AppStore etc so yes it is normal. As mentioned in the link you can see what added it with `xattr -p com.apple.quarantine ` - is something in particular causing you issues? I doubt granting *Full Disk Access* to all internet using apps is the best solution. – lx07 Apr 16 '20 at 10:11
  • @lx07 The real problem is I'm creating files with my editor and they're being marked as quarantined, which doesn't appear to fit the criterion in that answer. Because they're marked as quarantined they're not able to run even after being marked with `chmod +x`. The best solution is the one that allows me to get on with my work, I'm all for security - but from scripts I wrote? – ian Apr 16 '20 at 10:27
  • Are you using BBEdit from the Mac App Store? If so, try the [direct download version](https://www.barebones.com/products/bbedit/download.html), which doesn't have to comply with the App Store restrictions like sandboxing. – Gordon Davisson Apr 18 '20 at 02:51
  • @GordonDavisson Thanks for the suggestion, it's the direct downloaded version already. – ian Apr 18 '20 at 06:53
  • Extended attributes are not just flags but key=>value stores. They have a payload that can be read by `getxattr`, which means that a file having the `com.apple.quarantine` attribute isn't necessarily quarantined. It depends on the contents of that attribute. – Bachsau Nov 20 '21 at 13:13

1 Answer

5

As BBEdit had been erroneously marked with `com.apple.quarantine` it meant that all files created that way were also marked. The solution was to run `xattr -dr com.apple.quarantine /Applications/BBEdit.app` and then restart the app. From that point on, new items created via BBEdit were not marked.

I also ran this monster:

```sh
# Pass each path as "$1" rather than splicing {} into the script, so odd filenames are safe.
/usr/bin/find ~ -xattrname com.apple.quarantine -type f \
  -exec sh -c 'printf "%s" "$1"
    if xattr -p com.apple.quarantine "$1" 2>/dev/null | grep -q BBEdit &&
       xattr -d com.apple.quarantine "$1"; then
      printf " - quarantined\n"
    else
      printf "\n"
    fi' sh {} \;
```

Which took hours. Still, it's gone now.


Edit: I've had to unmark (my own answer!) this as correct because the quarantining is back even though BBEdit now is not marked as quarantined. I lament.


Further edit: After further investigation I found that the app was indeed fixed by removing its quarantine attribute and that the problem I was having now was only with its command line tools. I emailed the creators of BBEdit and they were very helpful and by changing the setting given here the problem has been fixed.

ian
  • I just ran `sudo xattr -dr 'com.apple.quarantine' / 2>/dev/null` without any consequences. This attribute is not needed in any way by anything. – Bachsau Nov 20 '21 at 13:09
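
Added example, not part of the original posts: the answer's `grep -q BBEdit` works because the attribute's value names the app that set it, so the value can be split into fields and tallied per app before deciding what to remove. The field layout (`flags;hex_unix_time;agent;event_id`), the function names and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed value layout: flags;hex_unix_time;agent;event_id
# On macOS the raw value for one file comes from: xattr -p com.apple.quarantine FILE

# Print "flags<TAB>epoch_seconds<TAB>agent" for one raw value; return 1 if malformed.
parse_quarantine() {
    case $1 in
        *";"*";"*) ;;                    # need at least flags, time and agent
        *) return 1 ;;
    esac
    q_flags=${1%%;*}
    q_rest=${1#*;}
    q_time=${q_rest%%;*}
    q_rest=${q_rest#*;}
    q_agent=${q_rest%%;*}                # whatever follows the next ';' is the event id
    case $q_time in
        ''|*[!0-9a-fA-F]*) return 1 ;;   # timestamp must be hexadecimal
    esac
    printf '%s\t%s\t%s\n' "$q_flags" "$((0x$q_time))" "$q_agent"
}

# Read raw values on stdin (one per line) and print "count<TAB>agent",
# most frequent first. Malformed lines are counted under "(unparsed)".
count_agents() {
    while IFS= read -r q_line; do
        if parse_quarantine "$q_line" >/dev/null; then
            printf '%s\n' "$q_agent"
        else
            printf '(unparsed)\n'
        fi
    done | sort | uniq -c | sort -rn |
        awk '{c=$1; $1=""; sub(/^ /,""); print c "\t" $0}'
}

# Constructed sample values (not taken from the page).
sample_values() {
    cat <<'EOF'
0083;5e981234;BBEdit;
0081;5e97f000;Safari;11111111-2222-3333-4444-555555555555
0083;5e981300;BBEdit;
not-a-quarantine-value
EOF
}

sample_values | count_agents
```

A tally like this shows which apps account for the marked files, so removal can be limited to files whose agent is a tool you trust rather than applied to everything under `~`.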